-
7/25/2019 nureg-cr-5500-vol-5.pdf
1/213
INEL-95/0035
February 1996
Emergency Diesel GeneratorPower System Reliability19871993
G. M. GrantJ. P. Poloski
A. J. LuptakC. D. Genti llonW. J. Galyean
-
7/25/2019 nureg-cr-5500-vol-5.pdf
2/213
INEL-95/0035
Emergency Diesel GeneratorPower System Reliability
19871993
G. M. GrantJ. P. PoloskiA. J. LuptakC.D. GentillonW.J. Galyean
Published February 1996
Idaho National Engineering LaboratoryNuclear Risk Management Technologies Department
Lockheed Martin Idaho TechnologiesIdaho Falls, Idaho 83415
Prepared for theReliability and Risk Assessment Branch
Safety Programs DivisionOffice for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory CommissionWashington, DC 20555
Under DOE Idaho Operations OfficeContract DE-AC07-94ID13223
Job Code E8246
-
7/25/2019 nureg-cr-5500-vol-5.pdf
3/213
ABSTRACT
This report documents an analysis of the reliability of emergency
diesel generator (EDG) power systems at U.S. commercial nuclear plants
during the period 19871993. To evaluate EDG power system performance,
estimates are given of individual EDG train reliability to supply emergency
ac power to the safety-related bus. The estimates are based on EDG train
performance data that would be typical of an actual response to a low-
voltage condition on a safety-related bus for averting a station blackoutevent. A risk-based analysis and an engineering analysis of trends and
patterns are performed on data from EDG operational events to provide
insights into the reliability performance of EDGs throughout the industry
and at a plant-specific level. Comparisons are made to EDG train statistics
from Probabilistic Risk Assessments, Individual Plant Examinations, and
NUREG reports, representing 40% of the U.S. commercial nuclear power
plants. In addition, EDG train reliability estimates and associated
uncertainty intervals are compared to station blackout target reliability
goals.
Job Code: E8246Technical Assistance in Reliability and Risk Analysis
iii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
4/213
iv
-
7/25/2019 nureg-cr-5500-vol-5.pdf
5/213
EXECUTIVE SUMMARY
This report presents an evaluation of the performance of emergency diesel generator (EDG)trains at U.S. commercial nuclear power plants. The study is based on the operating experiencefrom 1987 through 1993, as reported in Licensee Event Reports (LERs) and Special Reports.
The data extracted from LERs and Special Reports for plants reporting under Regulatory Guide1.108 requirements were analyzed in three ways (referred to in this report for simplicity as RG-1.108 data). First, the EDG train unreliability was estimated, and the factors affectingunreliability were determined. The estimates were analyzed to uncover trends and patternswithin EDG train reliability. The trend and pattern analysis yielded insights into the performanceof the EDG train on plant-specific and industry-wide bases. Second, comparisons were madebetween the estimates calculated in this report and EDG train unreliabilities reported in theselected PRAs, IPEs, and NUREGs (PRA/IPEs). The objective of the comparisons was toindicate where RG-1.108 data support or fail to support the assumptions, models, and data usedin the PRA/IPEs. Third, plant-specific estimates of EDG train reliability derived from the RG-1.108 data were calculated. These estimates were compared to the station blackout (SBO) target
reliability goals. For the non-RG-1.108 population of EDGs, the results of a cursory analysis andcomparisons derived solely from LER data associated with unplanned demands were presented.
Twenty-nine plant risk source documents, PRA/IPEs, were used for comparison with theEDG reliability results obtained in this study. The information extracted from the sourcedocuments contain relevant EDG train statistics for 44 plants comprising 97 EDGs. The datarepresent approximately 40% of the plants and EDGs at operating nuclear power plants. Of the44 plants, 29 report in accordance with the requirements identified in Regulatory Guide 1.108.
EDG train unreliabilities were estimated using a fault tree model to combine broadlydefined train failure modes such as failure to start or failure to run into an overall EDG trainunreliability. The failure probabilities for the individual failure modes were calculated by
reviewing the failure information, categorizing each failure event by failure-mode, and thenestimating the corresponding number of demands (both successes and failures). ApproximatePRA/IPE-based unreliabilities were calculated from the failure data documented in therespective PRA/IPE for the start, load, run, and maintenance phases of the EDG train operation.
The estimated EDG train unreliability derived from unplanned and cyclic test demand datafor the RG-1.108 plants was 0.044. The EDG train unreliability was estimated from 50 failuresobserved during 181 unplanned demands and 682 cyclic (18 month) surveillance tests. Theobserved failures were classified as either failure to start, failure to run, or maintenance out ofservice. Maintenance out of service was further classified as to whether or not the plant was in ashutdown condition at the time of the demand. In addition, recovery of EDG trains from failures
during unplanned demands were identified. The unreliability estimate includes consideration ofrecovery of EDG train failures, maintenance out of service while the plant is not in a shutdowncondition, and assumes an 8-hour mission time. Maintenance out of service is the majorcontributor to EDG train unreliability. Approximately 70% of the unreliability is attributed tomaintenance being performed on an EDG train at the time of an unplanned demand. If recoveryis excluded, the estimate of an EDG train unreliability is 0.069. The causes of unreliability wereprimarily electrical in nature and typically the result of hardware malfunctions.
v
-
7/25/2019 nureg-cr-5500-vol-5.pdf
6/213
-
7/25/2019 nureg-cr-5500-vol-5.pdf
7/213
The effect of maintenance unavailability on EDG reliability is significant based on the RG-1.108 data. The technical basis for the Station Blackout Rule assumes that such unavailability isnegligible (0.007). The estimate derived from the RG-1.108 data for maintenance out of serviceis 0.03. Forty of the 44 RG-1.108 plants with a 0.95 target reliability attain the goal whencomparing mean estimates. The reliability estimate for the overall population of EDGs at RG-
1.108 plants with a 0.95 target goal is 0.956, with a corresponding uncertainty interval of 0.92,0.99. For the RG-1.108 plants with an EDG target reliability goal of 0.975, none of the EDGsmeet the target reliability goal. The reliability estimate for the overall population of EDGs atRG-1.108 plants with a 0.975 target goal is 0.954, with a corresponding uncertainty interval of0.91, 0.98.
vii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
8/213
Catawba 1
Catawba 2
Clinton
Farley 1
Farley 2
McGuire 1
McGuire 2
River Bend
South Texas 1
South Texas 2
Susquehanna 1
Susquehanna 2RG-1.108 (24 hrs)
Grand Gulf
LaSalle 1
LaSalle 2
Nine Mile Pt. 2
Palo Verde 1
Palo Verde 2
Palo Verde 3
RG-1.108 (8 hr)
Callaway
Salem 1
Salem 2
Sequoyah 1
Sequoyah 2
Waterford 3
Vogtle 1
Vogtle 2
Zion 1
Zion 2
RG-1.108 (6 hr)
0.000 0.100 0.200 0.300 0.400 0.500
Unreliability Figure ES-1. Plot of PRA/IPE and RG-1.108 estimates of EDG train unreliabilities anduncertainties with recovery for Regulatory Guide 1.108 reporting plants. The FTR contribution
viii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
9/213
is based on the mission time stated in the PRA/IPE (with the exception of Susquehanna and Palo
Verde).
ix
-
7/25/2019 nureg-cr-5500-vol-5.pdf
10/213
Based on the limited failure data (i.e., unplanned demand data only) for the non-RG-1.108
plants, reliability parameters estimated for this population of EDGs tend to agree with those
generated for the RG-1.108 plants. The reliability estimate (without maintenance unavailability) for
the overall population of EDGs at the non-RG-1.108 plants is 0.984, with a corresponding
uncertainty interval of 0.97, 0.99. This unreliability is attributed to hardware-related failures of the
output breaker that were not observed in the RG-1.108 reporting plants. Owing to the sparseness ofthe non-RG-1.108 data, the reliability estimates apply to either SBO target reliability goal. The
reliability estimate for the overall population of EDGs at the non-RG-1.108 plants with
maintenance unavailability included is 0.958, with a corresponding uncertainty interval of 0.92,
0.98.
Trending analysis of the failure rate, unplanned demand rate and unreliability data by year
indicates no statistically significant trend over the 7 years of the study period. However, the
smallest number of events for any given year did occur in 1993. The analysis of plant-specific
unreliability by low-power license date indicates no statistically significant trend. However,
analysis of plant-specific EDG failure rate by low-power license date identifies a statistically
significant trend. The trend indicates that the plants with low-power license dates from 19801990 typically had an EDG failure rate greater than those plants with a low-power license date
prior to 1980. The trend observed by low-power license date for the EDG failure rate requires
further investigation as to the cause of the trend. Information in the LERs was not sufficient to
determine the reason for the trend. Each of the trending analyses are provided in Figures ES-2
through 6.
1987 1988 1989 1990 1991 1992 1993
Year
0.000
0.050
0.100
0.150
0.200
0.250
0.300
0.350
Unplanneddemands/EDGy
ear
90% conf. band on the fitted trend
x
-
7/25/2019 nureg-cr-5500-vol-5.pdf
11/213
Figure ES-2. EDG unplanned demands per EDG-year with 90% confidence intervals andfitted trend. The trend is not statistically significant (P-value=0.08).
xi
-
7/25/2019 nureg-cr-5500-vol-5.pdf
12/213
1987 1988 1989 1990 1991 1992 1993
Year
0.000
0.100
0.200
0.300
0.400
0.500
0.600
0.700
0.800
Failures/EDGy
ea
r
Figure ES-3. EDG failures per EDG-year with 90% confidence intervals and fitted trend. Thetrend is not statistically significant (P-value=0.30).
1987 1988 1989 1990 1991 1992 1993
Year
0.000
0.025
0.050
0.075
0.100
0.125
0.150
0.175
Unreliability
Year-specific unreliability & uncertainty interval
90% conf. band on the fitted trend
xii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
13/213
Figure ES-4. EDG train unreliability by calendar year, based on a constrained noninformativeprior and annual data. Ninety percent Bayesian intervals and a fitted trend are included. The
trend is not statistically significant (P-value=0.75).
1965 1970 1975 1980 1985 1990 1995
Low-power license date
0.00
0.03
0.05
0.08
0.10
0.13
0.15
0.18
0.20
Unreliability
Plant-specific unreliability and 90% conf. interval
Fitted trend line 90% Conf. band on the fitted trend
Figure ES-5. Plant-specific unreliability based on constrained noninformative priordistributions and an 8-hour mission, plotted against low-power license date. Ninety percent
Bayesian intervals and a fitted trend are included. The trend is not statistically significant (P-
value=0.62).
1965 1970 1975 1980 1985 1990 1995
Low- ower license date
0.00
0.50
1.00
1.50
2.00
Failure
sperEDG-year
Plant-specific EDG failure rate and 90% conf. interval
Fitted trend line 90% Conf. band on the fitted trend
xiii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
14/213
Figure ES-6. Plant-specific EDG failures per EDG-year, plotted against low-power licensedate. Ninety percent Bayesian intervals and a fitted trend are included. The trend, based on a fit
of the logarithms of the rates as a function of low-power license date, is statistically significant
(P-value=0.007).
xiv
-
7/25/2019 nureg-cr-5500-vol-5.pdf
15/213
ACKNOWLEDGMENTS
This report benefited from the questions and comments of
P. W. Baranowsky, S. E. Mays, and T. R. Wolf of the Nuclear Regulatory
Commission.
Technical reviews by J. H. Bryce, T. J. Leahy and C. L. Atwood of the
INEL, D. C. Bley of Buttonwood Consulting, G. W. Parry of the NUSCorp., and F. H. Rowsome of FHR Associates contributed substantially to
the final report.
Technical contributions by F. M. Marshall, D. A. Prawdzik, and P. H.
McCabe of the INEL contributed to the final report.
xv
-
7/25/2019 nureg-cr-5500-vol-5.pdf
16/213
xvi
-
7/25/2019 nureg-cr-5500-vol-5.pdf
17/213
CONTENTS
ABSTRACT ................................................................................................................... iii
EXECUTIVE SUMMARY ............................................................................................ v
ACKNOWLEDGMENTS .............................................................................................. xi
ACRONYMS.................................................................................................................. xix
DEFINITION OF TERMS ............................................................................................. xxi
1. INTRODUCTION ..................................................................................................... 1
2. SCOPE OF STUDY .................................................................................................. 3
2.1 EDG Train...................................................................................................... 3
2.1.1 EDG Operating Characteristics ......................................................... 32.1.2 EDG Support Subsystems.................................................................. 4
2.1.3 EDG Train Boundaries ...................................................................... 5
2.2 Operational Data Collection .......................................................................... 7
2.2.1 Methodology for Data Characterization ............................................ 8
2.3 Methodology for Analyzing Operational Data .............................................. 11
2.4 Criteria for Selecting PRAs and IPEs for Risk Comparison ......................... 12
3. RISK-BASED ANALYSIS OF THE OPERATIONAL DATA ............................... 14
3.1 Unreliability Estimates Based on RG-1.108 Data ......................................... 15
3.1.1 EDG Train Unreliability .................................................................... 17
3.1.2 Investigation of Possible Trends........................................................ 203.2 Comparison of PRAs ..................................................................................... 21
3.3 Additional PRA Insights ................................................................................ 24
3.3.1 Failure to Start ................................................................................... 25
3.3.2 Failure to Run .................................................................................... 25
3.3.3 Maintenance Out of Service .............................................................. 28
3.3.4 Common Cause Failure...................................................................... 28
3.4 Summary of Unplanned Demand Data for Non-RG-1.108 Plants ................ 31
3.5 Station Blackout Insights ............................................................................... 34
3.5.1 EDG Target Reliability 0.95 .............................................................. 34
3.5.2 EDG Target Reliability 0.975............................................................ 35
3.5.3 EDG Train Reliability Comparisons to NUREG-1032 ..................... 373.5.4 SBO Reliability for the Non-RG-1.108 Plants .................................. 39
4. ENGINEERING ANALYSIS OF THE OPERATIONAL DATA............................ 40
4.1 Industry-wide Evaluation............................................................................... 42
4.1.1 Trends by Year................................................................................... 42
4.1.2 Factors Affecting System Reliability................................................. 43
4.1.3 Time-Trends Observed in FTR Events .............................................. 50
4.1.4 Comparison with Previous Studies .................................................... 51
xvii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
18/213
4.2 Individual Plant Evaluation ........................................................................... 52
4.3 Trends by Manufacturer................................................................................. 62
4.4 Evaluation of EDG Failures Based on Low-Power License Date ................. 64
4.5 Common Cause Failure Events...................................................................... 65
4.6 Accident Sequence Precursor Review ........................................................... 66
5. REFERENCES .......................................................................................................... 70
Appendix AEDG Train Data Collection and Analysis Methods................................ A-1
Appendix BEDG Train Operational Data, 19871993............................................... B-1
Appendix CFailure Probabilities and Unreliability Trends........................................ C-1
FIGURES
ES-1. Plot of PRA/IPE and RG-1.108 estimates of EDG train unreliabilities and uncertainties
with recovery for Regulatory Guide 1.108 reporting plants. The FTR contribution is
based on the mission time stated in the PRA/IPE (with the exception of Susquehanna
and Palo Verde).. ....................................................................................................... vii
ES-2. EDG unplanned demands per EDG-year with 90% confidence intervals and fitted trend.
The trend is not statistically significant (P-value=0.08)............................................. viii
ES-3. EDG failures per EDG-year with 90% confidence intervals and fitted trend. The trend
is not statistically significant (P-value=0.30). ........................................................... ix
ES-4. EDG train unreliability by calendar year, based on a constrained noninformative prior
and annual data. Ninety percent Bayesian intervals and a fitted trend are included. The
trend is not statistically significant (P-value=0.75). .................................................. ix
ES-5. Plant-specific unreliability based on constrained noninformative prior distributions and
an 8-hour mission, plotted against low-power license date. Ninety percent Bayesian
intervals and a fitted trend are included. The trend is not statistically significant
(P-value=0.62) ........................................................................................................... x
ES-6. Plant-specific EDG failures per EDG-year, plotted against low-power license date.
Ninety percent Bayesian intervals and a fitted trend are included. The trend, based on a
fit of the logarithms of the rates as a function of low-power license date, is statistically
significant
(P-value=0.007). ........................................................................................................ x
1. Simplified EDG train schematic ................................................................................ 6
2. Illustration of the relationship between inoperability and failure data sets ............... 11
xviii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
19/213
3. EDG train unreliability model with recovery actions................................................ 19
4. EDG train unreliability by calendar year, based on a constrained noninformative prior
and annual data. Ninety percent Bayesian intervals and a fitted trend are included. The
trend is not statistically significant (P-value=0.75) ................................................... 21
5. Plot of PRA/IPE and RG-1.108 estimates of EDG train unreliabilities and uncertainties
with recovery for Regulatory Guide 1.108 reporting plants. The FTR contribution is
based on the mission time stated in the PRA/IPE (with the exception of Susquehanna
and Palo Verde). ........................................................................................................ 23
6. Plot of PRA/IPE and RG-1.108 estimates of failure to start probabilities without recovery
for the Regulatory Guide 1.108 reporting plants. ...................................................... 26
7. Plot of PRA/IPE and RG-1.108 estimates of failure to run probabilities without recovery
for the Regulatory Guide 1.108 reporting plants. The FTR probability is based on the
mission time stated in the PRA/IPE (with the exception of Susquehanna and Palo Verde).27
8. Plot of PRA/IPE and RG-1.108 estimates of maintenance out of service probabilities for
Regulatory Guide 1.108 reporting plants................................................................... 29
9. Non-RG-1.108 and RG-1.108 estimates of EDG train unreliability (includes recovery
and an 8-hour mission time) as compared with the PRA/IPE derived estimates. ..... 33
10. EDG unplanned demands per EDG-year with 90% confidence intervals and fitted trend.
The trend is not statistically significant (P-value=0.08). ........................................... 42
11.
EDG failures per EDG-year with 90% confidence intervals and fitted trend. The trendis not statistically significant (P-value=0.30). ........................................................... 43
12. Histogram of EDG subsystem failures by method of discovery, normalized by percent
contribution................................................................................................................ 44
13 Histogram of EDG subsystem failures by failure mode, normalized by percent
contribution................................................................................................................ 45
14. EDG cumulative number of FTR events observed during the cyclic surveillance tests
24-hour loaded run segment versus known run time of the failure. .......................... 51
15. Plot of EDG subsystem failures observed from 19871993 compared with
previous study periods. .............................................................................................. 52
16. Plant-specific unplanned demand rate per EDG-year with 90% Bayesian intervals. 55
17. Plant-specific failure rate per EDG-year with 90% Bayesian intervals .................... 56
18. EDG plant-specific failure rates versus unplanned demand rate............................... 57
xix
-
7/25/2019 nureg-cr-5500-vol-5.pdf
20/213
19. Plant-specific EDG failures per EDG operating year, plotted against low-power license
date. Ninety percent Bayesian intervals and a fitted trend are included. The trend, based
on a fit of the logarithms of the rates as a function of low-power license date, is
statistically significant (P-value=0.007). ................................................................... 64
xx
-
7/25/2019 nureg-cr-5500-vol-5.pdf
21/213
20. Plant-specific unreliability based on constrained noninformative prior distributions and
an
8-hour mission, plotted against low-power license date. Ninety percent Bayesian
intervals
anda fitted trend are included. The trend is not statistically significant (P-value=0.62). 65
TABLES
1. Plants selected for PRA/IPE comparison................................................................... 13
2. RG-1.108 failure data sources used for estimating EDG-train failure mode probabilities
3. Failure mode data and Bayesian probability information based on plants reporting under
Regulatory Guide 1.108 requirements ....................................................................... 18
4. EDG train unreliability and uncertainty based on RG-1.108 plant data, an 8-hour mission
time, and includes recovery. ...................................................................................... 20
5. Average failure probabilities derived from PRA/IPE information for the Regulatory
Guide 1.108 reporting plants and grouped by assumed mission time. ...................... 22
6. Failure probabilities calculated for 6-, 8-, and 24-hour mission times, based on failure
rates reported in PRA/IPEs and on the estimates calculated from the RG-1.108 data
without recovery. ....................................................................................................... 24
7. Failure mode data and non-informative Bayesian probability estimates based on
unplanned demands at plants not reporting under Regulatory Guide 1.108 requirements.
8. EDG train unreliability estimates (includes recovery and an 8-hour mission time) and
associated 90% uncertainty interval for the RG-1.108 and non-RG-1.108 plants.........
9. Failure mode average estimates derived from PRA/IPE information for the non-RG1.108
plants and grouped by assumed mission time as stated in the PRA/IPE ................... 32
10. Reliability estimates (includes recovery and an 8-hour mission time), including 90%
uncertainty bounds, for RG-1.108 plants with an EDG reliability goal of 0.95. ....... 36
11. Reliability estimates (includes recovery and an 8-hour mission time), including 90%
uncertainty bounds, for plants with an EDG target reliability goal of 0.975............. 38
12. EDG train reliability parameters identified in NUREG-1032 and the corresponding
estimates based on RG-1.108 data. ............................................................................ 38
13. Station blackout target reliability estimates (includes recovery and an 8-hour mission
time), including 90% uncertainty bounds, based on the non-RG-1.108 unplanned
xxi
-
7/25/2019 nureg-cr-5500-vol-5.pdf
22/213
demand data ............................................................................................................... 39
14. EDG failures and unplanned demands by year.......................................................... 42
15. Number of EDG train failures by method of discovery............................................. 44
16. Number of EDG subsystem failures by failure mode................................................ 45
17. EDG train failures and unplanned demands differentiated by plant.......................... 53
18. Distribution of EDG failures by manufacturer for the entire study period (19871993)
19. Number of EDG subsystem failures by manufacturer over the study period (19871993)62
20. Summary of the EDG-related ASP events with CCDP greater than 1.0 E-4 ............ 67
xxii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
23/213
xxiii
-
7/25/2019 nureg-cr-5500-vol-5.pdf
24/213
ACRONYMS
AEOD Analysis and Evaluation of Operational Data (NRC Office)
AP ALCO Power (EDG manufacturer)
ASP accident sequence precursor
BWR boiling water reactor
CB Cooper Bessemer (EDG manufacturer)
CCDP conditional core damage probability
CCF common cause failure
CFR Code of Federal Regulations
CL SACM/Compair Luchard (EDG manufacturer)
ECCS emergency core cooling system
EDG emergency diesel generator
ESF engineered safety feature
EM Electro Motive General Motors (EDG manufacturer)
FC Fairbanks Morse/Colt (EDG manufacturer)
FRFTR failure to recover from failure to run
FRFTS failure to recover from failure to start
FTR failure to run
FTS failure to start
HVAC heating, ventilating, and air conditioning
IPE individual plant examination
INEL Idaho National Engineering Laboratory
LER Licensee Event Report
xxiv
-
7/25/2019 nureg-cr-5500-vol-5.pdf
25/213
LOCA loss-of-coolant accident
LOOP loss of offsite power
MCC motor-control center
MOOS maintenance out of service
NM Nordberg Mfg. (EDG manufacturer)
NPRDS Nuclear Plant Reliability Data System
NRC Nuclear Regulatory Commission
ORNL Oak Ridge National Laboratory
OUTINFO a database of plant outages
PRA probabilistic risk assessment
PWR pressurized water reactor
RF restoration failure
RFP restoration failure, power
RFR restoration failure, reset
RG Regulatory Guide
SAS SAS Institute, Inc.'s commercial software package
SBO station blackout
SCSS Sequence Coding and Search System
SIF self-initiated failure
TD Transamerica Delaval (EDG manufacturer)
WC Worthington Corp. (EDG manufacturer)
xxv
-
7/25/2019 nureg-cr-5500-vol-5.pdf
26/213
xxvi
DEFINITION OF TERMS
Common cause failure (CCF)A set of dependent failures resulting from a common
mechanism in which more than one EDG train exists in a failed state at the same time, or within
a small time interval.
EDG TrainAn EDG train is a single diesel engine, electrical generator, and the associated
support subsystems necessary to power and sequence the electrical loads on the vital ac bus.
Typically, two or more EDG trains constitute the onsite emergency ac power system.
FailureA malfunction of the EDG train or associated support subsystems that prevents
the EDG train from starting and running when a demand has occurred. An administrative
inoperability, such as a missed surveillance test, does not constitute a failure.
Failure to run (FTR)A failure of the EDG train to continue to supply power to its
respective safety-related electrical bus given the EDG train successfully started.
Failure to start (FTS)A failure of the EDG train to either manually or automatically start
on a bus under-voltage condition, reach rated voltage and speed, close the output breaker, or
sequence safety-related electrical loads onto the respective safety-related bus.
DemandAn event requiring the EDG to start and supply power to the safety-related bus.
This event may be the result of a scheduled (i.e., cyclic surveillance test) or an unscheduled (i.e.,
unplanned) demand. An unscheduled demand is an under-voltage condition on the EDGs safety-
related bus thereby requiring the EDG to supply power to the affected bus. A safety injection
signal is not considered an unscheduled demand for this report, since the EDG is not required to
supply power to the safety-related bus for this plant condition.
InoperabilityAn occurrence where one or more EDG trains were not fully operable as
defined by applicable plant technical specifications or Regulatory Guide 1.108. Inoperabilities
may or may not be an actual failure of the EDG train.
Load sheddingAutomatic removal of all electrical equipment powered on an electrical
bus.
Maintenance out of service (MOOS)Failure of the EDG train caused by the EDG train
being out of service for either preventative or corrective maintenance at the time of an unplanned
demand.
Maintenance unavailabilityProbability that the EDG train is unavailable due to MOOS.
Mission timeThe elapsed clock time during which the EDG train is required to provide
power to the safety-related electrical bus. For an under-voltage condition on the safety-related
bus, it is the length of time to successfully recover offsite power. For EDG train testing, it is the
required test run time as specified in the testing program (RG-1.108).
-
7/25/2019 nureg-cr-5500-vol-5.pdf
27/213
xxvii
Operational DataA term used to represent the industry operating experience reported in
LERs, Special Reports, or monthly operating reports. It is also referred to as operational
experience or industry experience.
PRA/IPEA term used to represent the data found in the PRAs, IPEs, and NUREGs.
P-value
The probability that the data set would be as extreme as it is, assuming the modelor hypothesis is correct. It is the significance level (0.05 for this study) at which the assumed
model or hypothesis would be statistically rejected.
RecoveryAn act that enables the EDG train to be recovered from either an FTS or FTR
failure. Recovery of an EDG was only considered in the unplanned demand events, because
these are the types of events where recovery of power to the vital bus is necessary. Each failure
reported during an unplanned demand was evaluated to determine whether recovery of the EDG
train by operator actions had occurred. Some events identified recovery of power to the vital bus
using off-site power when the EDG failed to respond to the bus low-voltage condition. These
events were not considered a successful recovery of the EDG train because the EDG train was
left in the failed state. In these events, the initiator of the bus low-voltage condition was actuallycorrected.
Restoration failureAn incipient failure condition of the EDG train that results from a
failure to restore the EDG to a standby operating condition. A restoration failure reset (RFR)
condition occurs when emergency actuations are reset and a protective trip signal (e.g., low
cooling water flow/discharge pressure, high vibration, etc.) of the EDG is present. This condition
would result in tripping the EDG and a potential station blackout if offsite power was not
previously restored. A restoration failure of offsite power (RFP) condition occurs during a
parallel operation of the EDG with offsite power. During parallel operations, failure mechanisms
exist (e.g., performance of the voltage and speed regulators) for the EDG that are not present
when operating independent of offsite power. These failure mechanisms can trip the EDG and/or
cause electrical disturbances on the electrical bus, potentially resulting in a station blackout
condition.
Safety functionThe requirement that an EDG train starts and loads its associated vital bus
for the duration of its mission time.
SequencerA system device that controls the order and timing of emergency loads that are
automatically loaded onto the safety-related bus. It can be distributed, with various devices
located throughout the electrical system, or discrete, that is, contained in a single cabinet/panel,
and is generally a solid state device.
Self-Initiated Failure (SIF)A special class of EDG train failure to successfully start.
These failures are differentiated from the FTS events because the demand for the EDG train also
causes the EDG train to fail to start. The demand and failure of the EDG train is typically the
result of a sequencer fault that strips the vital bus and subsequently prevents the bus from
loading from the EDG train.
-
7/25/2019 nureg-cr-5500-vol-5.pdf
28/213
xxviii
UnreliabilityProbability that the EDG train will fail to perform its required mission (e.g.,
provide power to a bus for the required time).
-
7/25/2019 nureg-cr-5500-vol-5.pdf
29/213
Emergency Diesel Generator PowerSystem Reliability, 19871993
1. INTRODUCTIONThe U.S. Nuclear Regulatory Commission (NRC), Office for Analysis and Evaluation of
Operational Data (AEOD), in cooperation with other NRC Offices, has undertaken an effort to ensure that
the stated NRC policy to expand the use of probabilistic risk assessment (PRA) within the agency can be
implemented consistently and predictably. As part of this effort, the AEOD Safety Programs Division is
reviewing the functional reliability of risk-important systems in commercial nuclear power plants. The
approach is to compare the estimates and associated assumptions found in PRAs and Individual Plant
Examinations (IPEs) to actual operating experience. The first phase of the review involves the
identification of risk-important systems from a PRA perspective and the performance of reliability and
trending analysis on these identified systems. As part of this review, a risk-related performance evaluation
of emergency diesel generator (EDG) power systems at U.S. commercial reactor plants was performed.
The evaluation measures EDG power system performance using actual operating experience under
conditions most representative of circumstances that would be found in a response to a postulated loss-of-
offsite-power event. To perform this evaluation and make comparisons to the relevant information
provided in the PRA/IPEs, it was necessary to evaluate system reliability on the individual train level.
Therefore, the reliability estimates presented in this study are based on the individual EDG trains in
performing their risk-significant function. These estimates of EDG train reliability were based on data
from unplanned demands as a result of an actual safety-related bus low-voltage condition, and
surveillance tests that best simulate an EDG train response to a safety-related bus low-voltage condition.
Data were not used from component failures that did not result in the loss of the risk-significant function
of the EDG train. Also, partial demands, whether unplanned and not in response to a low-voltage
condition or tests that did not simulate a complete EDG response to a low-voltage condition, were not
used to estimate reliability. These partial demands were not used to estimate reliability because they donot represent the same stresses the EDG train would experience during a loss-of-offsite-power event.
As a result of the focus of this study, the classifications of the various failure modes found in this
report are based on the criteria identified in NUREG/CR-2989, Reliability of Emergency AC Power
Systems at Nuclear Power Plants.1 NUREG/CR-2989 contains the results of a reliability analysis of the
onsite ac power system relative to calculating the expected frequency of a station blackout. Because of
this focus, NUREG/CR-2989 was chosen as the reference for classifications of the various EDG train
failure modes. These criteria are different from those found in Regulatory Guide 1.108, Periodic Testing
of Diesel Generator Units Used as Onsite Electrical Power Systems,2Regulatory Guide 1.9, Selection,
Design, and Testing of Emergency Diesel Generator Units Used as Class 1E Onsite Electrical Power
Systems,3and other studies such as NSAC-108,The Reliability of Emergency Diesel Generators at U.S.
Nuclear Power Plants.
4
The regulatory guides and the NSAC-108 study present criteria for evaluatingEDG train performance during testing that do not always simulate a complete EDG train response as
would be observed during a loss-of-offsite-power event. In addition, the NSAC study and regulatory
guides present different and conflicting definitions of demands, failures, and failure modes than those that
would be used in a risk-based assessment.
The EDG train performance study was based upon the operating experience during the period from
1987 through 1993, as reported in Licensee Event Reports (LERs) and Special Reports. The objectives of
the study were to:
1
-
7/25/2019 nureg-cr-5500-vol-5.pdf
30/213
1. Estimate unreliability based on operational data and compare the results with the assumptions,
models, and data used in selected probabilistic risk assessment and individual plant
examinations.
2. Compare the plant-specific estimates of EDG train reliability to EDG target reliability goals
for station blackout concerns.
3. Provide an analysis of the factors affecting unreliability and determine if trends and patterns
are present in the operational data.
This report is arranged as follows. Section 1 provides an introduction. Section 2 describes the scope
of the study, which includes a description of the EDG train and brief descriptions of the data collection
and analysis methodologies. Section 3 presents the results of the risk-based analysis of the operational
data. Section 4 presents the results of the engineering analysis of the operational data. Section 5 contains
the references.
Appendix A explains in detail the methods used for data collection, characterization, and subsequent
analysis. Appendix B presents summary lists of the data. Appendix C summarizes the detailed statistical
analyses used to determine the results presented in Sections 3 and 4 of the body of the report.
2
-
7/25/2019 nureg-cr-5500-vol-5.pdf
31/213
2. SCOPE OF STUDY
This study documents an analysis of the EDG train operational experience during 19871993 at
U.S. commercial nuclear power plants. The analysis focused on the ability of the EDG train to start and
load its associated safety-related bus for a specified mission time. For the purposes of this study, an EDG
train is a diesel engine, electric generator, and the associated support subsystems necessary to power and
sequence the electrical loads on the safety-related bus. Typically, two or more EDG trains constitute the
onsite emergency ac power system. The EDG train boundaries, data collection, failure categorization,
selection of PRAs and/or IPEs for risk-based comparison, and limitations of the study are described in
this section.
The data used in this report are limited to the set of plants listed in Appendix B, Table B-1.
However, among these plants, exclusions occurred as follows. For the newer plants, data started from the
low-power license date. Several plants were excluded due to atypical EDG trains, lack of EDGs, or
because the plants were not operational during the study period; these are identified in Appendix B. Table
B-1 presents for each plant the operating utility, the EDG manufacturer, model number, the number of
EDGs, and event reporting criteria.
All but one of the plant designs in this study include the capability for at least two EDG trains to
supply power to the plant using independent safety-related buses. The one exception is at Millstone 1
where one EDG train and a gas turbine generator train supply ac power to the emergency ac power
system. In some cases, a swingEDG train is used that can supply power to more than one plant (but not
simultaneously) such that two plants will have a total of only three EDG trains: one EDG train dedicated
to each specific plant and the third, a swing EDG system, capable of powering either plant. There are
other EDG train configurations, as indicated in Table B-1. Each EDG train uses combinations of one or
two diesel engines powering one ac electrical generator. The typical EDG train comprises one diesel
engine per generator. In this study, two diesel engines powering one generator were considered as one
EDG train.
Diesel engines used for fire pumps, specific Appendix R purposes, or non-class 1E backup
generators, were not included in the study. Neither were the high-pressure core spray (HPCS) EDGs
included in this study. The HPCS EDGs are a dedicated power source for the HPCS system and do not
have load/shed sequencers. Because sequencers are absent in the HPCS EDG system and they have a
special function, these data were not included in the study. HPCS EDGs will be included in a separate
HPCS reliability report.
2.1 EDG Train
2.1.1 EDG Operating Characterist ics
The EDG train is part of the standby emergency onsite ac power system and is required to be
available as a reliable source of ac power in the event of a loss of normal ac power during all plant modes(operating or shutdown). Normally, each plant has two safety-related buses that power the electrical loads
required for safe shutdown and emergency conditions. These buses typically receive power from either
the auxiliary or startup transformers, which are powered from the main generator or offsite power. In the
event of the loss of offsite power or the failure of the normal power to the individual safety-related buses,
an EDG train will provide a backup source of power to its associated safety-related bus. The EDG train
has sufficient capacity to power all the loads required to safely shut the plant down or supply emergency
core cooling system (ECCS) loads on a loss-of-coolant accident (LOCA). Plant-specific technical
specifications identify the requirements for the emergency ac power system operability under various
plant conditions.
3
-
7/25/2019 nureg-cr-5500-vol-5.pdf
32/213
Instrumentation is provided in the control room to monitor EDG operation following an automatic
start signal. Control switches are also available to control EDG operation or manually start the EDG if
necessary. In addition, local manual controls are available in or near the EDG room. Generally, any
automatic start of the EDG train is considered an emergency start regardless of whether the start was
planned (i.e., surveillance test) or unplanned (i.e., low-voltage condition). An EDG train is required to
automatically start upon indication of the following:
A loss-of-coolant accident (safety injection signal)
A low-voltage condition on the safety-related bus.
A safety injection signal without a loss of offsite power will automatically start the EDG; however,
the EDG output breaker will not close. The EDG train will not supply power to the safety-related bus for
safety injection events unless a low-voltage condition exists. The EDG will remain at rated speed and
voltage with the output breaker open until manually stopped. Should a LOCA occur during loss of offsite
power, the bus is first stripped of all loads (automatic load shedding), except for selected feeds for motor-
operated valves, and isolated from offsite power sources before the loading sequence begins. After the
bus is stripped of loads, the EDG output breaker automatically closes, and the load sequencerautomatically restarts selected equipment at a preset time interval onto the affected safety-related bus.
A low-voltage condition on the safety-related bus requires automatic starting of the EDG and
closing of the output breaker to supply electrical power to designated equipment on the affected bus.
Should a loss of offsite power on any safety-related bus occur, the bus is stripped of loads by a load-
shedding scheme. Automatic loading of the safety-related bus begins after the EDG has obtained rated
speed and voltage and the EDG output breaker has closed. During an under-voltage condition, the EDG
train operates independently without being in parallel with any other electrical power source. When
normal power again becomes available, the EDG train can then be paralleled with the grid, unloaded,
secured, and returned to standby condition.
For most testing purposes, the EDG train is manually started, brought up to speed, synchronized tothe plant power system, and loaded. Normally, voltage is regulated automatically. If offsite power is lost
during parallel operation with the plant electrical system, the EDG output breaker will open automatically
via an under-frequency relay. The under-frequency relay protects the EDG from an over-load condition
during parallel operation. The under-frequency relay opens only the output breaker and is interlocked to
operate only in parallel operation. Once the output breaker has been opened by the under-frequency relay,
an under-voltage condition on the affected bus will exist, causing the output breaker to reclose
automatically. Operation of the EDG train from this point is similar to the loss-of-offsite-power or under-
voltage condition discussed earlier.
2.1.2 EDG Support Subsystems
Support subsystems are necessary for successful EDG train operation. Instrument and controlsubsystems function to start, stop, and provide operational control and protective trips for the EDG.
Heating and ventilation subsystems maintain the EDG room environment and supply engine combustion
air. Controls for the diesel engines are a mix of pneumatic and electrical devices, depending on the
manufacturer. These function to control the voltage and speed of the EDG. Various safety trips for the
engine and generator exist to protect the EDG. During the emergency startmode of operation, some of
these protective trips associated with the diesel engine are bypassed.
4
-
7/25/2019 nureg-cr-5500-vol-5.pdf
33/213
The cooling subsystem is a closed-loop water system integral to the engine and generator and has
some external cooling medium, generally emergency service water. The lubrication oil subsystem is a
closed-loop system integral to the engine and generator consisting of a sump, various pumps, and a heat
exchanger. The fuel subsystem provides fuel oil from large external storage tanks, having a capacity for
several days of system operation, to a smaller day tank for each engine. The day tank typically has
capacity to operate the engine for 4 to 6 hours. Day tank fuel oil is supplied to the cylinder injectors,
which inject the fuel to each individual cylinder for combustion. The engine governor maintains correctengine speed by metering the fuel oil to each cylinder injector. An air start subsystem provides
compressed air to start the engine. The generator, exciter, and output breaker all function to deliver
electrical power to the safety-related bus.
Automatic load shedding and sequencing controls the order and timing of emergency loads that are
loaded onto the safety-related bus. The purpose of this equipment is to prevent instantaneous full loading
(ECCS loads during a LOCA event) of the engine when the output breaker is closed. The load sequencer
consists of at least two redundant, physically separated, and electrically isolated sets of circuitry, one set
for each EDG train. Each sequencer functions independently and is associated with the sensors and safety
equipment of a particular division. Each EDG train has its own independent automatic load sequencing
equipment to load the generator. The load sequencer can either be a centrally located solid state
configuration or a distributed sequencer with associated relays and timers located in the respective loadcenters on the safety-related buses. The solid state sequencer is normally used in plants designed after
1980. However, some older plants may have been backfitted with this type of sequencer. The pre-1980
plants typically have the distributed sequencer.
2.1.3 EDG Train Boundaries
The EDG train boundaries selected for this study are shown in Figure 1. These boundaries are
consistent with the boundaries identified in similar studies: NUREG-1032, Evaluation of Station
Blackout Accidents at Nuclear Power Plants5and NUREG-2989 (Reference 1).
The boundary of the EDG train includes the diesel engine, electrical generator, generator exciter,
output breaker, load shedding and sequencing controls, EDG room heating/ventilating subsystems(including combustion air), the exhaust path, lubricating oil (with the device that physically controls the
cooling medium, i.e., the nearest isolation/control valve to the EDG boundary that is actuated on a start
signal), fuel oil subsystem (including all storage tanks permanently connected to the engine supply), and
the starting compressed air subsystem. All pumps, valves, valve operators, the power supply breakers for
the powered items, and associated piping for the above support subsystems are inside the boundary of the
EDG train.
5
-
7/25/2019 nureg-cr-5500-vol-5.pdf
34/213
Emergency bus
Diesel engine
125 VDC control power Output breaker
Generator
Exciter
Note: The 125 VDC control
power system is shown for
information only and is not part
of the EDG train.
System Boundary
Cooling Engine
subsystems
Voltage regulatorFuel oil
Lube oil
Air start
Governor
Exhaust
Shutdown
Circuit
Start
Circuit
Sequencer
Figure 1. Simplified EDG train schematic.
6
-
7/25/2019 nureg-cr-5500-vol-5.pdf
35/213
2.2 Operational Data Collection
The sources of EDG train operational data used in this report are based on the LERs found using the
Sequence Coding and Search System (SCSS) database, and the Special Reports found in the NRCs
Nuclear Documents System (NUDOCS) database.
The SCSS database was searched for all records for the years 1987 through 1993 that identified any
failure of an EDG or its associated subsystems within the system boundary defined previously in
Section 2.1.3. The SCSS database was also searched for all unplanned engineered safety feature (ESF)
actuations associated with the EDGs during the study period. The information encoded in the SCSS
database and included in this study encompasses both actual and potential EDG failures during all plant
operating conditions and testing. Differences that may exist between the plants in reporting EDG ESF
actuations and failures were not considered in this report. It was assumed that every plant was reporting
EDG ESF actuations and failures as required by the LER rule, 10 CFR 50.73, and in the guidance of
NUREG-1022,Event Reporting Systems 10 CFR 50.72 and 50.73.6 EDG events that were reported in
accordance with the requirements of 10 CFR 50.72 were not used in this report because of the uncertainty
associated with the completeness of the data provided in the 10 CFR 50.72 report compared to the
information provided in the LER. The LER data provide a more detailed account of the event needed to
determine successful operation or failure of the EDG, the associated failure mode, and the failure
mechanism and cause. The 10 CFR 50.72 report generally only provides a brief description of the event
and does not always contain enough data to determine failure modes or other important reliability- and
risk-related information.
In addition to the LER-based SCSS data, some plants are required by Regulatory Guide 1.108 to
report EDG train failures detected during testing in a Special Report. Approximately 60% of the plants
are required to report EDG failures during a test in accordance with requirements provided in Regulatory
Guide 1.108. The specific plants reporting in accordance with the regulatory guide are identified in Table
B-1. The Special Reports provide information that is not available in the LERs. Therefore, the NUDOCS
database was searched for all records that identified an EDG Special Report for the 19871993 study
period.
Because a significant number of plants identified in Table B-1 are not required to report EDG
failures in accordance with the reporting requirements identified in Regulatory Guide 1.108, not all EDG
data were available for this report. The data available from the plants not reporting to Regulatory Guide
1.108 requirements result from unplanned ESF actuations and any associated failures observed during the
ESF actuations [10 CFR 50.73(a)(2)(iv)], and failures that occurred as the result of a common cause
mechanism [10 CFR 50.73(a)(2)(vii)]. As a result of the reporting differences, the plants reporting in
accordance with Regulatory Guide 1.108 and 10 CFR 50.73 provide the most complete data source for
this study; see Appendix A, Section A-2, for more details.
The information encoded in the above databases were only used to identify LERs and Special
Reports for screening of EDG train failure data. The information necessary for determining reliability,
such as classification of EDG failures, unplanned demands, failure modes, failure mechanisms, causes,
etc., were based on an independent review, from a risk and reliability perspective, of the data provided in
the LERs and Special Reports.
7
-
7/25/2019 nureg-cr-5500-vol-5.pdf
36/213
2.2.1 Methodology for Data Characterization
Failure ClassificationsAs stated above, not all EDG train events contained in the SCSS or
NUDOCS databases resulted in actual failures. The term inoperability is used here to describe any
occurrence in which the plants reported an EDG train problem either in accordance with the requirements
of 10 CFR 50.73, or Regulatory Guide 1.108. The termfailure, which is also an inoperability, is an event
for which the safety function of the EDG train was lost, i.e., the EDG train did not or could not supplyelectrical power to safety-related loads for the required mission time. That is, the condition reported in the
LER or Special Report was such that the EDG train would not have been capable of responding to a low-
voltage condition on its safety-related bus.
The EDG train events identified as failures in this study represent actual malfunctions that prevented
the successful operation of the EDG train. Slow engine starting times that exceeded technical
specification requirements were not considered failures since facility analyses stated that a sufficient
safety margin was present to preclude core damage even with a slow engine starting time. No starts
greater than 19 seconds were observed in the data. Most late starts, were generally 10 or 12 seconds in
duration, and were within a few seconds of the technical specification required start time. EDG train
events reported as potential failures because of inadequate seismic design, environmental qualification, or
other similar concerns were not considered failures. Administrative inoperabilities, such as lateperformance of a surveillance test, did not constitute a failure for the purposes of this report. In addition,
EDG train events related to trouble-shooting activities, such as immediately after major maintenance and
prior to the post-maintenance test, were not considered failures. Also, equipment malfunctions used solely
for the purposes of testing the EDG and which did not affect the EDGs ability to operate, were not
considered failures.
The classification of events as failures in this report differs from the failure criteria defined by
Regulatory Guide 1.108. Regulatory Guide 1.108 differentiates the EDG failures by either valid or non-
valid failures based on the criteria provided in the regulatory guide. Both the non-valid and valid failures
are required to be reported in the Special Reports. As discussed above, the failure classification used in
this report was based on the EDG trains ability to supply electrical power to safety-related loads for the
required mission time. If the EDG train was capable of responding to the bus low-voltage condition, thenthe event reported in the Special Report was classified as an inoperability. However, if the EDG train was
not capable of responding, then the event was classified as a failure.
To estimate unreliability of the EDG train, classification of the failure events by failure mode was
necessary. The review of the operational data identified that when the EDG receives an automatic start
signal as a result of a low-voltage condition, the EDG is required to start, obtain rated speed and voltage,
close the output breaker to the affected safety-related bus, sequence required loads onto the bus, and
maintain power to the bus for the duration of the mission. Failure may occur at any point in this process.
As a result, the following failure modes were observed in the operational data:
Maintenance out of service (MOOS) occurred if, because of preventative or corrective
maintenance, the EDG was prevented from starting.
Failure to start (FTS) occurred if the EDG failed to automatically start, reach rated speed and
voltage, close the output breaker, or sequence the loads onto its respective safety-related bus.
Self-initiating failure (SIF) is a special type of failure to successfully start the EDG. These
failures were differentiated from the FTS events because the event that caused the demand for
the EDG train also caused the EDG train to fail.
8
-
7/25/2019 nureg-cr-5500-vol-5.pdf
37/213
Failure to run (FTR) occurred if at any time after the EDG successfully started delivering
electrical power to its safety-related bus, the EDG failed to maintain electrical power while it
was required.
Restoration failure, reset (RFR) is an incipient failure, which occurs when emergency
actuation signals are reset and a protective trip signal (e.g., low cooling water flow/discharge
pressure, high vibration, etc.) to the EDG is present. This condition would result in trippingthe EDG and creating a potential interruption of power. This mode does not apply to all EDGs
and depends on the design of the trip reset function.
Restoration failure, power (RFP) is an incipient failure, which occurs while attempting to
restore the EDG to standby with the EDG operating in parallel with offsite power. During
parallel operations, failure mechanisms exist (e.g., relevant to the performance of the voltage
and speed regulators) for the EDG that are not present when the EDG is operating independent
of offsite power. These failure mechanisms have the potential to trip the EDG and/or cause
electrical disturbances on the electrical bus, potentially resulting in an interruption of power to
the bus.
Common cause failure (CCF) is a set of dependent failures resulting from a common
mechanism in which more than one EDG train exists in a failed state at the same time, or
within a small time interval.
The operational data used for this report contain events relating to the recovery of a failed EDG
train or restoring ac power to the safety-related bus. Recovery of an EDG train was only considered in
the unplanned demand events, since these are the types of events where recovery of power to the safety-
related bus is necessary. To recover an EDG train from an FTS event, operators have to recognize that the
EDG was in a failed state, manually start the EDG, and restore EDG electrical power to the safety-related
bus. Recovery from an FTR was defined in a similar manner. Each failure reported during an unplanned
demand was evaluated to determine whether recovery of the EDG train by operator actions had occurred.
Some events identified recovery of power to the safety-related bus using off-site power when the EDG
failed to respond to the bus low-voltage condition. These events were not considered a successful
recovery of the EDG train because the EDG train was left in the failed state. In these events, the initiator
of the bus low-voltage condition was all that was actually corrected. Further details of the failure
characterization, including additional measures taken to ensure completeness and correctness of the coded
data, are also included in Section A-1 of Appendix A.
Demand ClassificationsFor the purposes of estimating reliability, demand counts must be
associated with failure counts. The first issue is the determination of what types of demands and
associated failures to consider. Two criteria are important. First, each unplanned demand must reasonably
approximate conditions observed during a bus low-voltage condition. Any surveillance test selected to
estimate reliability needs to be at least as stressful on the train as a demand in response to a bus low-
voltage situation. For this study, this requirement meant that the entire EDG train must be exercised in the
test. Second, counts or estimates of the number of the demands and associated failures must be reliable.
Because the criteria used for estimating the reliability of the EDG train was the ability of the EDG train to
supply power to safety-related loads, unplanned demands as a result of a bus low-voltage condition and
cyclic surveillance test demands (18-month or refueling outage testing) were used to estimate EDG train
reliability.
For this study, an EDG unplanned demand is defined as a low-voltage condition existing on the
safety-related bus that requires the EDG to provide electrical power to the affected bus with all required
loads sequenced onto the bus. The mission time for the unplanned demand is the time from the start of the
9
-
7/25/2019 nureg-cr-5500-vol-5.pdf
38/213
low-voltage condition to restoring normal electrical power to the safety-related bus. Even though an EDG
may not be at design rated load for an unplanned demand, the EDG mission was assumed to be successful
if it carried the required load for the given plant conditions. For example, if loss of normal power
occurred on a safety-related bus and the EDG train restored ac power to the bus at 25% of full load
(which is the load that was required based on plant conditions), then the EDG train was considered as
successfully completing its mission.
Plant technical specifications and Regulatory Guide 1.108 require a variety of surveillance tests.
The frequency of the tests are generally monthly and every operating or refueling cycle (18 months). The
latter tests are referred to in this report as cyclic tests. Cyclic testing, as defined in Section C.2 of
Regulatory Guide 1.108, is intended to completely demonstrate the safety function capability of the EDG
train. Cyclic testing requirements simulate automatic actuation of the EDG train up through completion of
the sequencer actions to load the safety-related bus. The cyclic test's 24-hour loaded run segment does not
simulate an actual emergency demand, since it is performed with the EDG train paralleled with the grid
rather than being in a totally independent mode. However, the data do provide important insights into the
ability of the EDG train to run for extended periods of time.
A partial demonstration (e.g., monthly surveillance testing) of the EDG trains capability was not
considered representative of the EDG trains performance under actual accident conditions. Surveillancetesting information that does not demonstrate the EDG trains safety function completely, as would be
observed during a bus low-voltage condition, was not used in the assessment of EDG train reliability. For
example, the monthly testing requirements identified in Regulatory Guide 1.108 do not test the sequencer
and automatic start circuitry. Because of the guidance provided in Regulatory Guide 1.108, monthly test
demands do not represent the type of demand that the EDG train would experience during a low-voltage
condition. As a result, monthly testing data were not used to estimate the reliability of the EDG train.
Another type of partial demonstration was identified in some unplanned ESF actuations of the EDG.
Some ESF actuations resulted in starting and obtaining rated speed and voltage; however, the EDG train
was not required to supply electrical power to the safety-related bus (the EDG was not loaded). These
ESF actuations may have occurred either as a result of a valid or spurious safety injection signal, or
human error. Events of this nature did not constitute a complete demonstration of the EDG trains safetyfunction. Therefore, these events were excluded from the count of EDG unplanned demands.
For additional details on the counting of unplanned demands and surveillance test demands, see
Appendix A.
10
-
7/25/2019 nureg-cr-5500-vol-5.pdf
39/213
2.3 Methodology for Analyzing Operational Data
The risk-based and engineering analyses of the operational data were based on two different data
sets. The Venn diagram presented as Figure 2 illustrates the relationship between these data sets. Data set
A represents all the LERs and Special Reports that identified an EDG train inoperability from the above-
mentioned SCSS and NUDOCS database searches. Data set B represents the inoperabilities that resulted
in a loss of the safety function (failure) of the EDG train. Data set B is the basis for the engineering
analysis. Data set C represents the actual failures identified from LERs and Special Reports for which the
corresponding demands (both failures and successes) could be counted. As a result, data set C represents
the data used in the risk-based analysis. As discussed in Section 2.2, the test demands must reasonably
approximate the stress on the system that would be experienced during a bus low-voltage condition.
Therefore, only the cyclic test demands and associated failures were used in data set C.
To eliminate any bias in the analysis of the failure and demand data in data set C and to ensure a
homogeneous population of data, three additional selection criteria on the data were imposed: (1) the data
from the plants must be reported in accordance with the same reporting requirements, (2) the data from
each plant must be statistically from the same population, and (3) the data must be consistent (i.e., from
the same population) from an engineering perspective. Each of these three criteria must be met or the
results of the analysis could be incorrectly influenced.
As a result of these three criteria, the failure and demand data that constitute data set C were not
analyzed exclusively on the ability to count the number of failures and associated demands for a risk-
based mission, but also to ensure each of the above three criteria were met. Because the cyclic test data
would provide a larger data set and additional run time information of the EDG, only the plants reporting
EDG train failures in accordance with the requirements of Regulatory Guide 1.108 were used to provide
plant-specific estimates of EDG train reliability. Therefore, the reliability analysis contained in Section 3
was performed separately for the plants reporting in accordance with Regulatory Guide 1.108. Only
population estimates are calculated for those plants not reporting in accordance with Regulatory Guide
1.108.
A
B
C
A applicable technical specifications.
B The safety function of the EDG train was
lost (failure).
C The safety function of the EDG train was lost(failure) and the demand count could be
determined or estimated.
The EDG train was inoperable as defined by
Figure 2. Illustration of the relationship between inoperability and failure data sets.
11
-
7/25/2019 nureg-cr-5500-vol-5.pdf
40/213
The purpose of the engineering analysis was to provide qualitative insights into EDG train
performance, not to calculate quantitative estimates of reliability. Therefore, the engineering analysis used
all the EDG train failures appearing in the operational data. That is, the engineering analysis focused on
data set B which includes data set C with an engineering analysis of the factors affecting EDG train
reliability. For the trending analysis and the data comparisons (e.g., between the plants, between EDG
manufacturers, failure causes/mechanisms, etc.) considered in the engineering analysis, only the data from
the plants reporting in accordance with Regulatory Guide 1.108 were used to ensure a consistency in theresults. The only data excluded in the engineering analysis were the failures attributed to MOOS.
Although the MOOS events result in the inability of the EDG train to supply power, they do not always
involve an actual failure of the EDG train. However, an unplanned demand of an EDG train while
maintenance was being performed on that EDG train during power operating conditions was considered
in estimating unreliability.
2.4 Criteria for Selecting PRAs and IPEs for Risk Comparison
In order to put the operational performance of the EDG trains into a risk perspective, a comparison
of the operational data with a representative sample of the various PRAs and IPEs was made. To ensure a
representative sample of the nuclear power plant population was chosen, the following guideline elements
were used to select the sample:
A cross section of pressurized water reactors (PWRs) and boiling water reactors (BWRs)
A cross section of nuclear steam supply system (NSSS) vendors within PWRs
A cross section of reactor and containment design within the NSSS vendors
A cross section of plants with respect to annual core damage frequency due to internal events
A cross section of the major EDG manufacturers:
ALCO Power AP
Cooper Bessemer CB
Electro Motive (General Electric) EM
Fairbanks Morse/Colt FC
Nordberg Mfg. NM
Transamerica Delaval TD
The plants selected and the information used to make the selections are shown in Table 1. Overall,
44 plants were selected and used in the risk/reliability insights comparisons. The reliability statistics
relevant to EDG train performance were extracted from the PRA/IPE reports7-37and comparisons to the
operational information were performed. Section 3 of this report presents the results of that analysis.
12
-
7/25/2019 nureg-cr-5500-vol-5.pdf
41/213
Table 1. Plants selected for PRA/IPE comparison.
Plant
(EDG mfg.) NSSS Design Containment CDF Report
RG-1.108 reporting plants
Callaway (FC) WEST 4 Loop Dry (3) 5.8E-5 IPE
Catawba 1 and 2 (TD) WEST 4 Loop Ice Cond. 4.3E-5 PRA
Clinton (EM) GE BWR/6 Type 5h Mark 3 2.6E-5 IPE
Farley 1 and 2 (FC) WEST 3 Loop Dry (3b) 1.3E-4 IPE
Grand Gulf (TD) GE BWR/6 Type 5h Mark 3 1.7E-5 NUREG/CR-4550
LaSalle 1 and 2 (EM) GE BWR/5 Type 5g Mark 2 4.4E-5 NUREG/CR-4832
McGuire 1 and 2 (NM) WEST 4 Loop Ice Cond. 4.0E-5 IPENine Mile Point 2 (CB) GE BWR/5 Type 5g Mark 2 3.1E-5 IPE
Palo Verde 1, 2, and 3 (CB) CE 2 Loop Dry (3b) 9.0E-5 IPE
River Bend (TD) GE BWR/6 Type 5h Mark 3 1.6E-5 IPE
Salem 1 and 2 (AP) WEST 4 Loop Dry (3) 4.0E-5 IPE
Sequoyah 1 and 2 (EM) WEST 4 Loop Ice Cond. 1.7E-4 NUREG/CR-4550
South Texas 1 and 2 (CB) WEST 4 Loop Dry (3b) 4.4E-5 PRA/IPE
Susquehanna 1 and 2 (CB) GE BWR/4 Type 5g Mark 2 1.1E-7 IPE
Vogtle 1 and 2 (TD) WEST 4 Loop Dry (3b) 4.9E-5 IPE
Waterford 3 (CB) CE 2 Loop Dry (2e) 1.7E-5 PRA
Zion 1 and 2 (CB) WEST 4 Loop Dry (3b) 4.0E-6 IPE
Non-RG-1.108 reporting plants
Arkansas 1 (EM) B&W 2 Loop Dry (3b) 4.7E-5 PRA summary
Beaver Valley 2 (FC) WEST 3 Loop Sub. Atm. 1.9E-4 IPE
Brunswick 1 and 2 (NM) GE BWR/4 Type 5g Mark 1 2.7E-5 IPE/PRA
Calvert Cliffs 1 and 2 (FC) CE 2 Loop Dry (3b) 3.0E-4 IPE
FitzPatrick (EM) GE BWR/4 Type 4g Mark 1 1.9E-6 IPE/PRA
Indian Point 2 (AP) WEST 4 Loop Dry (3) 3.1E-5 IPE
Indian Point 3 (AP) WEST 4 Loop Dry (3) 4.4E-5 IPE
Kewaunee (EM) WEST 2 Loop Dry (2e) 6.7E-5 IPE
Millstone 1 (FC) GE BWR/3 Type 4g Mark 1 1.1E-5 IPE
Oyster Creek (EM) GE BWR/2 Type 4g Mark 1 3.7E-6 PRA
Peach Bottom 2 (FC) GE BWR/4 Type 4g Mark 1 5.5E-5 NUREG/CR-4550
Surry 1 and 2 (EM) WEST 3 Loop Sub. Atm. 7.4E-5 NUREG/CR-4550
13
-
7/25/2019 nureg-cr-5500-vol-5.pdf
42/213
3. RISK-BASED ANALYSIS OF THE OPERATIONAL DATA
In this section, the data extracted from LERs and Special Reports for plants reporting underRegulatory Guide 1.108 requirements were analyzed in three ways. First, the EDG train unreliability isestimated for those plants reporting under Regulatory Guide 1.108 requirements. (The descriptor used toidentify the failure data and estimates calculated for the Regulatory Guide 1.108 plants in this study is
"RG-1.108.") The RG-1.108 estimates are analyzed to uncover trends and patterns within EDG trainreliability in U.S. commercial nuclear power plants. The trend and pattern analysis provides insights intothe performance of the EDG train on plant-specific and industry-wide bases. Second, comparisons aremade between the RG-1.108 estimates and EDG train unreliabilities reported in the selected PRAs, IPEs,and NUREGs. The objective of the comparisons is to indicate where RG-1.108 data support or fail tosupport the assumptions, models, and data used in the PRAs, IPEs and NUREGs. Third, RG-1.108 plant-specific estimates are made of EDG train reliability. These estimates are compared to the plant-specificstation blackout target reliabilities. For the non-RG-1.108 population of EDGs, the results of a cursoryanalysis and comparisons derived solely from the unplanned demand data are presented.
Twenty-nine plant risk source reports (i.e., PRAs, IPEs and NUREGs) were used for comparisonwith the EDG reliability results obtained in this study. For the purposes of this study, the source
documents will be referred to collectively as PRA/IPEs. Distinctions between reference reports arenoted where necessary. The information extracted from the source documents contain relevant EDG trainstatistics for 44 plants comprising 97 EDGs. The data represent approximately 40% of the plants andEDGs at operating nuclear power plants. Of the 44 plants, 29 plants report according to Regulatory Guide1.108 requirements. The analysis presented in this section primarily focuses on the 29 RG-1.108 plants.The 15 non-RG-1.108 plants are evaluated in the context of the unplanned demand data reported by theseplants under 10 CFR 50.73 reporting requirements.
EDG train unreliabilities were estimated using a fault tree model to combine broadly defined trainfailure modes such as failure to start or failure to run into an overall EDG unreliability. The probabilitiesfor the individual failure modes were calculated by reviewing the failure information, categorizing eachfailure event by failure-mode and then estimating the corresponding number of demands (both successesand failures). Approximate PRA/IPE-based unreliabilities were calculated from the failure data for the
start, load, run, and maintenance phases of the EDG train. The EDG train-level unreliabilities and failureprobabilities extracted from the PRA/IPEs are compared to the RG-1.108 and non-RG-1.108 results. Asummary of the major findings are presented here:
The estimate of EDG train unreliability derived from unplanned demand and cyclic test datafor plants reporting under Regulatory Guide 1.108 requirements was determined to be 0.044.This estimate includes recovery of EDG train failures that did not require repair and assumesan 8-hour run time of the EDG. If recovery is excluded, the estimate of an EDG trainunreliability is 0.069.
No yearly trends in EDG unreliability were apparent in the data for the 19871993 time frame.
The average of the plant-specific RG-1.108-based estimates of EDG train unreliability is inagreement (approximately 13% higher) with the average of the PRA/IPE estimates assumingan 8-hour run time of the EDG. Generally, the RG-1.108-based estimate for failure-to-startand maintenance out of service probability agree with their respective PRA/IPE counterparts.However, for a 24-hour mission time for the EDG train, the PRA/IPE estimate of failure to runis approximately a factor of 30 higher than the corresponding RG-1.108-based estimate.
Based on the mean reliability, all of the RG-1.108 plants (44) with a EDG target reliabilitygoal of 0.95 attain the target goal, provided that the unavailability of the EDG due tomaintenance is ignored. The reliability estimate for the overall population of EDGs at RG-1.108 plants with a 0.95 target goal is 0.987, with a corresponding uncertainty interval of
14
-
7/25/2019 nureg-cr-5500-vol-5.pdf
43/213
0.96, 0.99. For the RG-1.108 plants with a EDG target reliability goal of 0.975, eighteen of thenineteen RG-1.108 plants, based on the mean reliability, attain the reliability goal, providedthat the unavailability of the EDG due to maintenance is ignored. The EDGs associated withthe plant not achieving the 0.975 reliability goal had a mean reliability of 0.971. Whenuncertainty is accounted for, the EDGs at the plant not meeting the SBO target reliabilityhave approximately a 0.54 probability of meeting or exceeding the 0.975 reliability goal. The
reliability estimate for the overall population of EDGs at RG-1.108 plants with a 0.975 targetgoal is 0.985, with a corresponding uncertainty interval of 0.95, 0.99.
The effects of maintenance unavailability on the EDG reliability is significant based on theRG-1.108 plant data. The technical basis for the Station Blackout Rule assumes that suchunavailability was negligible (0.007). The estimate derived from the RG-1.108 formaintenance out of service is 0.03. Forty of the 44 RG-1.108 plants with a 0.95 targetreliability attain the goal when comparing mean estimates. The reliability estimate for theoverall population of EDGs at RG-1.108 plants with a 0.95 target goal is 0.956, with acorresponding uncertainty interval of 0.92, 0.99. For the RG-1.108 plants with a EDG targetreliability goal of 0.975, none of the EDGs meet the target reliability goal. The reliabilityestimate for the overall population of EDGs at RG-1.108 plants with a 0.975 target goal is0.954, with a corresponding uncertainty interval of 0.91, 0.98.
Based on the limited failure data (i.e., unplanned demand data only) for the non-RG-1.108plants, reliability parameters estimated for this population of EDGs tend to agree with thosegenerated for the RG-1.108 plants. The reliability estimate (without maintenanceunavailability) for the overall population of EDGs at the non-RG-1.108 plants is 0.984, with acorresponding uncertainty interval of 0.97, 0.99. Due to the sparseness of these data, thereliability estimates apply to both target reliability goals for the non-RG-1.108 plant group.The reliability estimate for the overall population of EDGs at the non-RG-1.108 plants withmaintenance unavailability included is 0.958, with a corresponding uncertainty interval of0.92, 0.98.
3.1 Unreliabil ity Estimates Based on RG-1.108 Data
Estimates of EDG train unreliability were calculated using the unplanned demands and cyclic testsreported in the LERs and Special Reports for plants reporting under Regulatory Guide 1.108requirements. The RG-1.108 data were used to develop failure probabilities for the observed failuremodes defined in Section 2. The types of data (i.e., cyclic test and unplanned demands) used forestimating probabilities for each of the EDG failure modes are identified in Table 2.
In calculating failure rates for individual failure modes, the RG-1.108 failure data were analyzed
and tested (statistically) to determine if significant variability was present in the data. All data were
initially analyzed by failure mode, by plant, by year, and by source (i.e., unplanned and cyclic demands).
Each data set was modeled as a binomial distribution with confidence intervals based on sampling
uncertainty. Various statistical tests (Fisher's exact test, Pearson chi-squared test, etc.) were then used to
test the hypothesis that there is no difference between the types and sources of data.
15
-
7/25/2019 nureg-cr-5500-vol-5.pdf
44/213
Table 2. RG-1.108 failure data sources used for estimating EDG-train failure mode probabilities.
Regulatory Guide 1.108 reporting
Unplanned Demands Cyclic tests
Failure mode failures demands failures demands
Failure to start (FTS) 2 181 17 1364
Failure to run (FTR)
Early (FTRE) 1 179 11 665
Middle (FTRM) 15 654
Late (FTRL) 1 639
Failure to recover from an FTS (FRFTS) 2 2
Failure to recover from an FTR (FRFTR) 0 3
Maintenance out of service (MOOS)a
while not in a shutdown condition
3 112
Maintenance out of service (MOOS)a
while in a shutdown condition
8 83
_______________________
a. In this report, MOOS contribution to train unreliability was determined using those unplanned demand failures
that resulted from the EDG being unavailable because it was in maintenance at the time of the demand.
Because of concerns about the appropriateness and power of the various statistical tests and anengineering belief that there are real differences between groups, an empirical Bayes method was used
regardless of the results of the statistical tests for differences. The simple Bayes method was used if noempirical Bayes could be fitted. [For more information on this aspect of the data analysis, see AppendicesA and C (Sections A-2.1 and C-1.1) for the details of the statistical approach to evaluate the RG-1.108data]. If the uncertainty in the calculated failure rate was dominated by random or statistical uncertainty(also referred to as sampling uncertainty), then the data were pooled. If, on the other hand, the uncertaintywas dominated by the plant-to-plant (or year-to-year, between unplanned and cyclic demands, etc.)variability, then the data were not pooled, and individual plant-specific failure rates were calculated basedon the factor that produced the variability.
The RG-1.108 failure data from cyclic testing and unplanned demands were used to estimate theFTS and FTR probabilities. Plant-to-plant variability (i.e., statistically significant) was detected in boththe FTS and FTR failure modes.
The EDG train run-time information reported in the unplanned demands generally lacked sufficientdetail to make an accurate determination of run times. The available data in the unplanned demandinformation were not sufficient in determining if a constant failure rate existed for the EDG train. EDGtrain run times were generally greater than one-half hour, but the information did not allow an assessmentto be made of when the EDG was secured. Therefore, one-half hour was assumed for the minimum runtime during an unplanned demand. To provide better accuracy in the estimation of hourly failure rates forthe FTR failure mode, data from cyclic tests were used. Even though the cyclic test data may not totallyrepresent the EDG train start sequence during an unplanned demand, the run period of the test representsEDG train performance after a succes
